[PATCH] wg-quick: linux: add support for nft and prefer it

Vasili Pupkin diggest at gmail.com
Tue Dec 10 18:31:07 CET 2019

On 10.12.2019 18:48, Jason A. Donenfeld wrote:

> restore '%s-I PREROUTING ! -i %s -d %s -m addrtype ! --src-type LOCAL -j DROP
> nftcmd '%sadd rule %s %s preraw iifname != %s %s daddr %s fib saddr type != local drop

I am trying to understand the rulesets. When you check the type of the 
source address of the incoming packet its type just can't be local to 
our machine, it is the address of the sender. The source address of the 
packet can only be local if the packet was sent from the same machine. 
Isn't this part of the rule redundant?

More information about the WireGuard mailing list